b"          Federal Housing Finance Agency\n              Office of Inspector General\n\n\n\n\nAction Needed to Strengthen FHFA\nOversight of Enterprise Information\n  Security and Privacy Programs\n\n\n\n\n Audit Report \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013\n\x0c                  Action Needed to Strengthen FHFA Oversight of\n                  Enterprise Information Security and Privacy Programs\n                  Why OIG Did This Audit\n                  Recent reports and testimony from organizations such as the Financial Stability\n                  Oversight Council and the Federal Bureau of Investigation emphasize the growing\n                  threat of cyber attacks against government and private sector computers and networks.\nSynopsis          These attacks pose a significant risk to the safety and soundness of financial\n                  organizations, including Fannie Mae and Freddie Mac (the enterprises), which store\n    \xe2\x80\x94\xe2\x80\x94\xe2\x80\x94           personal protected information (PPI) for 28 million active borrowers as well as other\n                  sensitive financial information. If that PPI was compromised, the enterprises, FHFA,\nAugust 30, 2013   and the Treasury Department could be exposed to significant financial risk. Trust in\n                  the enterprises would also suffer greatly, harming relations with borrowers and\n                  financial institutions. FHFA is responsible for overseeing enterprise information\n                  security to help mitigate the growing threat of cyber attacks, as well as enterprise\n                  privacy programs to help protect sensitive borrower information. 
The objective of this\n                  audit was to assess the effectiveness of FHFA\xe2\x80\x99s oversight of those programs.\n\n                  What OIG Found\n                  Key aspects of FHFA\xe2\x80\x99s oversight of enterprise information security and privacy\n                  programs were ineffective during our January 2010 to November 2012 audit period.\n                  The agency did not issue formal information security and privacy guidance to the\n                  enterprises, complete a risk assessment for information security and privacy necessary\n                  to support the annual examination plan, conduct ongoing monitoring of some key IT\n                  security issues, or address some previously identified findings regarding information\n                  security. FHFA began making a series of changes to the units responsible for its IT\n                  examination activities in 2011 that limited the resources available to conduct this\n                  work. Agency officials stated that 2012 was a transition year that presented challenges\n                  in hiring staff to address skills shortages as reasons for reduced oversight. If these\n                  issues persist, FHFA will be unable to provide adequate information security and\n                  privacy program oversight, endangering the confidentiality, integrity, availability, and\n                  reliability of crucial enterprise information systems and data and increasing the risk to\n                  the safety and soundness of the enterprises.\n                  Further, FHFA does not have an adequate process to support reliance on the work of\n                  the enterprise internal audit divisions related to information security. 
Although\n                  guidance states that FHFA examiners review outstanding issues and assess staff levels\n                  and skills of internal auditors, these activities alone are insufficient for establishing\n                  reliance. In 2011, an FHFA examination team used, but did not independently verify,\n                  the work of an enterprise internal audit division as the basis for identifying issues in\n                  the enterprise\xe2\x80\x99s privacy program that required action. FHFA\xe2\x80\x99s reliance on enterprise\n                  internal audit work\xe2\x80\x94without properly establishing and documenting reliance\xe2\x80\x94\n                  increases the risk that examination analysis and results could be based on inaccurate\n                  or unsubstantiated work.\n\x0c                  What OIG Recommends\n                  To strengthen its oversight of enterprise information security and privacy programs,\n                  FHFA should: (1) establish formal program requirements, (2) implement a workforce\n                  plan for IT examination staffing, (3) complete required risk assessments,\n                  (4) consistently deploy tools for monitoring IT security activities, and (5) establish\n                  and document a process for placing reliance on enterprise internal audit activities.\n\n\nSynopsis\n    \xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nAugust 30, 2013\n\x0cTABLE OF CONTENTS ................................................................\n\nABBREVIATIONS .........................................................................................................................5\n\nPREFACE ........................................................................................................................................6\n\nCONTEXT .......................................................................................................................................7\n      Enterprises 
Information Security and Privacy Programs..........................................................7\n      FHFA Oversight of Enterprise Information Security and Privacy Programs ...........................8\n\nFINDINGS .....................................................................................................................................11\n      1.     Ineffective Oversight of Enterprise Information Security and Privacy Programs ..........11\n              FHFA Did Not Perform Some Key Oversight Activities ...............................................11\n              Resources Constraints Limited FHFA Oversight Activities...........................................12\n              Lack of Clear Requirements Puts Information Security at Risk .....................................13\n      2.     FHFA Did Not Justify Its Reliance on Internal Audit Work ..........................................14\n\nCONCLUSIONS............................................................................................................................16\n\nRECOMMENDATIONS ...............................................................................................................16\n\nOBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................17\n\nAPPENDIX A ................................................................................................................................18\n      FHFA\xe2\x80\x99s Comments on OIG\xe2\x80\x99s Findings and Recommendations ............................................18\n\nAPPENDIX B ................................................................................................................................21\n      OIG\xe2\x80\x99s Response to FHFA\xe2\x80\x99s Comments .................................................................................21\n\nAPPENDIX C 
................................................................................................................................23\n      Summary of Management\xe2\x80\x99s Comments on the Recommendations ........................................23\n\nADDITIONAL INFORMATION AND COPIES .........................................................................25\n\n\n\n\n                                           OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                                                4\n\x0cABBREVIATIONS .......................................................................\n\nDEPS               Division of Examination Programs and Support\n\nDER                Division of Enterprise Regulation\n\nDSPS               Division of Supervision Policy and Support\n\nFFIEC              Federal Financial Institutions Examination Council\n\nISO                International Organization for Standardization\n\nMRA                matter requiring attention\n\nPPI                personal protected information\n\n\n\n\n                          OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                      5\n\x0cPREFACE ...................................................................................\n\nFannie Mae and Freddie Mac store personal protected information\xe2\x80\x94PPI includes social\nsecurity numbers, names, addresses, and other such data\xe2\x80\x94for more than 28 million active\nborrowers.1 Because PPI is frequently exploited for identity theft or other fraudulent activity,\nthe enterprises must maintain information security and privacy programs to ensure the safety\nof individuals\xe2\x80\x99 data. Such programs also help to ensure the confidentiality, integrity, and\navailability of other restricted information, such as economic data, that is critical to enterprise\nbusiness processes, financial management, compliance with laws and regulation, and\nreputation. 
Further, because FHFA and other organizations rely on this information to\nperform crucial oversight activities, the data must be reliable and secure.\n\nFHFA is responsible for effectively supervising and regulating Fannie Mae and Freddie Mac\nto promote their safety and soundness. The objective of this audit was to assess the\neffectiveness of FHFA\xe2\x80\x99s oversight of enterprise information security and privacy programs\nfrom January 2010 to November 2012. We are authorized to conduct audits, evaluations,\ninvestigations, and other law enforcement activities pertaining to FHFA\xe2\x80\x99s programs and\noperations. As a result of our work, we may recommend policies that promote economy and\nefficiency in administering FHFA\xe2\x80\x99s programs and operations, or that prevent and detect fraud\nand abuse in them. We believe that this report\xe2\x80\x99s recommendations (along with those in prior\nreports) will increase FHFA\xe2\x80\x99s assurance that the enterprises are operating safely and soundly,\nand that their assets are preserved and conserved.\n\nWe appreciate the cooperation of all those who contributed to this audit, which was led by\nBrent Melson, Director, who was assisted by Joseph Nelson, Lars Hansen, and Andrew\nGegor.\n\nThis audit report has been distributed to Congress, the Office of Management and Budget, and\nothers, and will be posted on our website, www.fhfaoig.gov.\n\n\n\n\nRussell A. 
Rau\nDeputy Inspector General for Audits\n\n\n\n\n1\n  PPI is the enterprise term for the commonly known terms \xe2\x80\x9cpersonally identifiable information\xe2\x80\x9d or \xe2\x80\x9cnonpublic\ninformation.\xe2\x80\x9d\n\n\n\n                                  OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                          6\n\x0cCONTEXT ..................................................................................\n\nIn recent testimony before Congress, the executive assistant director for the Federal Bureau of\nInvestigation\xe2\x80\x99s Criminal, Cyber, Response, and Services Branch testified that the frequency\nand impact of cyber attacks on our nation\xe2\x80\x99s private sector and government networks have\nincreased dramatically in the past decade and are expected to continue to grow.2 The Financial\nStability Oversight Council, which monitors the U.S. financial system, has also recognized\nthe growing threat of coordinated cyber attacks against financial services companies.3 It\nrecommended in its 2013 Annual Report that:\n\n      \xef\x82\xb7   Financial regulators continue to review and update their examination policies and\n          guidance for information security in light of the evolving threat environment; and\n      \xef\x82\xb7   Government agencies enhance information sharing between the public and private\n          sectors and work with the private sector to assess the effects of cyber attacks.\n\nIn this environment, it is particularly important for FHFA to ensure that the enterprises are\nresponding to emerging threats and safeguarding sensitive information, including PPI.\n\nEnterprise Information Security and Privacy Programs\n\nThe enterprises are legally required to protect PPI by following the information security\nguidelines of the Gramm-Leach-Bliley Act.4 These guidelines require financial institutions\nto implement a comprehensive information security program to ensure the safety 
and\nconfidentiality of customer information. The guidelines do not require specific technical\ncontrols; instead, they require developing and implementing a broad risk management\nprogram that addresses risk identification and assessment, implementing policies and\nprocedures to mitigate risks, training employees, reporting, and involving and obtaining the\napproval of a board of directors.\n\nTherefore, the enterprises maintain information security programs to safeguard data, computer\nsystems, and facilities that process and maintain PPI and other sensitive information. Before\nour audit period, FHFA had identified a number of matters requiring attention (MRAs)\nregarding these programs, including the need to hire a chief information security officer;\n\n\n2\n Richard A. McFeely, Executive Assistant Director, Criminal, Cyber, Response, and Services Branch, FBI,\nStatement before the Senate Appropriations Committee (June 12, 2013). Accessed August 20, 2013, at\nhttp://www.fbi.gov/news/testimony/cyber-security-preparing-for-and-responding-to-the-enduring-threat.\n3\n  Financial Stability Oversight Council, 2013 Annual Report (April 25, 2013). Accessed August 20, 2013, at\nhttp://www.treasury.gov/initiatives/fsoc/Documents/FSOC%202013%20Annual%20Report.pdf.\n4\n    Public Law 106\xe2\x80\x93102.\n\n\n\n                                  OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                       7\n\x0cestablish a chief information security office; develop and implement information security and\nprivacy management programs; and improve controls over system access management,\nincluding user access provisioning and quarterly access recertification reviews. 
(See below for\nmore information on FHFA\xe2\x80\x99s oversight of the enterprises\xe2\x80\x99 programs.)\n\nAfter the MRAs were issued, Fannie Mae conducted a baseline assessment of its information\nsecurity program against the International Organization for Standardization (ISO) 270001/2\nframeworks for compliance.5 The ISO frameworks were adopted, and a three-year plan was\napproved to build out the information security program based on the ISO framework. In\naddition, Freddie Mac aligned its information security program with the ISO 270001/2\nframework. The ISO standards are widely used and leveraged by national and multinational\nfirms, from financial institutions like Barclays to cloud computing services like Amazon.\n\nFHFA Oversight of Enterprise Information Security and Privacy Programs\n\nFHFA provides the enterprises with formal guidance designed to direct their activities and\nhelp achieve mission-critical goals and objectives. Reports are provided to enterprise\nmanagement documenting the results of regular examinations, ongoing monitoring, and\nspecial projects. FHFA examiners issue MRAs to highlight specific actions the enterprises\nneed to take to address identified deficiencies.\n\nAt the start of conservatorship, all information security and privacy examination work was\nconducted by the Division of Enterprise Regulation (DER). Beginning in March 2011, a series\nof management changes altered the division of oversight duties. 
From April 2011 to\nSeptember 2012, the Division of Examination Programs and Support (DEPS) was assigned\nresponsibility for conducting information security and privacy examinations at the enterprises.\nBeginning in October 2012, responsibility for conducting information security and privacy\nexaminations was transferred back to DER.\n\nIn addition to issuing the annual report of examinations, DER conducts oversight activities as\nfollows:\n\n    \xef\x82\xb7   Targeted exams to assess a particular area, product, risk, or activity of an enterprise,\n        typically through information-gathering meetings and review of specialized reports.\n\n\n\n5\n  ISO/IEC 27001:2005 covers various types of organizations (e.g., commercial enterprises, government\nagencies, nonprofit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing,\nimplementing, operating, monitoring, reviewing, maintaining, and improving a documented information\nsecurity management system within the context of an organization\xe2\x80\x99s overall business risks. It specifies\nrequirements for the implementation of security controls customized to the needs of individual organizations or\nparts thereof.\n\n\n\n                                   OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                           8\n\x0c   \xef\x82\xb7   Ongoing monitoring, in real time, of enterprise operations. Continuous supervision\n       activities are a significant component of the supervision program. 
Regularly scheduled\n       reports, risk metrics, and recurring meetings are used in these activities.\n   \xef\x82\xb7   Special projects, including task forces, work groups, or study committees, made up of\n       examiners or analysts with specific tasks and goals.\n   \xef\x82\xb7   MRAs to verify if the enterprise has taken action required for safe and sound\n       operations.\n\nCurrently, the Division of Supervision Policy and Support (DSPS) is responsible for\ndeveloping examination guidance and standards. It plays a critical role in supervisory\nplanning activities and advising DER regarding ongoing supervision at the enterprises. DSPS\nis in the process of revamping all of the enterprise examination modules, including the IT\nexamination modules. As of the end of our audit fieldwork, the examination modules\nremained in draft format. DSPS and DER planned to finalize their strategy, supervisory plan,\nrisk assessments, programs, and all other documents used to support their supervision and\noversight in 2013. Draft examination manual modules for 25 subject areas were issued in May\n2012 with specific instructions that they be used for all enterprise examination activities going\nforward. 
Three of the 25 areas pertained to IT and address, among other things:\n\n   \xef\x82\xb7   Guidance suggesting that an effective information security program include the\n       regulated entity\xe2\x80\x99s privacy program.\n   \xef\x82\xb7   Roles and responsibilities for developing and implementing an effective security\n       program that succeeds in protecting regulated entity information and the systems that\n       support that information.\n   \xef\x82\xb7   The security objectives to be achieved (availability of information, integrity of\n       information, confidentiality of data and systems, accountability enforcing\n       nonrepudiation, and assurance that security measures work as intended).\n   \xef\x82\xb7   Specific policies and processes for information security risk assessments; information\n       security strategy; information security controls implementation; and information\n       security monitoring, testing, and updating.\n\nAt the conclusion of our fieldwork, DSPS was \xe2\x80\x9cfield testing\xe2\x80\x9d all modules.\n\nSince 2010, FHFA has completed two targeted information security and privacy\nexaminations\xe2\x80\x94one at Freddie Mac and one at Fannie Mae. An overall assessment of the\nenterprises\xe2\x80\x99 information security program was not performed, and independent testing,\nparticularly at the system level, was limited. FHFA management stated that they place a\nheavy reliance on ongoing monitoring activities and conduct targeted examinations only if the\nrisk is determined to be high or based on a need established in previous work. FHFA adopted\n\n\n                              OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                  9\n\x0cthis approach without establishing and communicating to the enterprises a baseline of key\ninformation security controls. There was no established basis for determining the specific type\nof information security review to conduct. 
DEPS management stated that each year before\n2013, DEPS performed a risk assessment on the IT universe, which included information\nsecurity and privacy at each enterprise, to determine the examination plan for the following\nyear. Notwithstanding potential shortcomings in the examination coverage, FHFA examiners\ndocumented information security concerns at both enterprises, largely through review of\ninternal audits performed by the enterprises. These concerns are summarized below.\n\nFHFA\xe2\x80\x99s last examination of information security and privacy at Freddie Mac was limited to\nthe effect of the chief information security officer\xe2\x80\x99s departure, controls over and management\nof remote access, the employee information security awareness program, and progress on a\nsecurity access project. FHFA examiners determined that a new chief information security\nofficer had been hired, that controls over and management of remote access systems were\nadequate, employee awareness training was conducted at appropriate intervals, and that the\nsecurity access project was progressing as planned. FHFA\xe2\x80\x99s examiners concluded that privacy\nwas a high-risk concern, in part because privacy controls depended on information security\nsolutions that would not be completed until 2012\xe2\x80\x932013. FHFA\xe2\x80\x99s last information security and\nprivacy examination of Fannie Mae, conducted in 2011 and reported in 2012, was limited to\nremote access controls and the effectiveness of information security training and privacy\ngovernance. FHFA noted that Fannie Mae needed to expand its mandatory information\nsecurity awareness training program.\n\n\n\n\n                             OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                 10\n\x0cFINDINGS .................................................................................\n\n1. 
Ineffective Oversight of Enterprise Information Security and Privacy Programs\n\n      FHFA Did Not Perform Some Key Oversight Activities\n\nFHFA did not effectively and consistently oversee enterprise information security and privacy\nprograms during our January 2010 to November 2012 audit period. First, FHFA has not\nestablished formal requirements or guidance governing enterprise information security\nprograms, including the enterprises\xe2\x80\x99 adoption of ISO standards. Although the agency provided\ninformal guidance to Fannie Mae through a number of meetings with management and\nfollow-up on outstanding MRAs, it did not do so for Freddie Mac. FHFA is authorized to\nissue prudential management and operation standards under the Federal Housing Enterprises\nFinancial Safety and Soundness Act, as well as provide direction to the enterprises through\nvarious other authorities.6 Such standards are essential for the enterprises to use for\ndeveloping and maintaining their information security programs and for FHFA examiners to\nassess those programs as required by the DER Supervision Handbook. Other federal oversight\nentities have established such requirements. For example, the Federal Deposit Insurance\nCorporation, which oversees many commercial banks, has established and issued information\nsecurity standards for the banks it regulates as part of its standards for safety and soundness.7\n\nSecond, FHFA did not complete its annual enterprise IT risk assessment for 2012 as required\nby the DER Supervisory Guide. Specifically, information security and privacy risks were not\nlisted and evaluated for 2012 to identify and analyze significant risks and supervisory\nconcerns. 
According to the guide, a risk assessment is conducted to provide a blueprint for\nsupervision on the foundation of the business profile and to provide support for a midyear\nletter and the report of examination.\n\nThus, the 2012 Enterprise Supervision Plan for Information Technology, which summarizes\nFHFA\xe2\x80\x99s plans for its oversight of enterprise information technology planning and\nmanagement in support of their mission to promote the enterprises\xe2\x80\x99 safety and soundness, was\ndeveloped without leveraging the results of a comprehensive IT risk assessment. FHFA\nmanagement stated that they conducted a three-day planning exercise, which led to the\ndevelopment of the entire 2013 examination plan.\n\n\n\n6\n    12 U.S.C. 4513.\n7\n Federal Deposit Insurance Corporation, \xe2\x80\x9cAppendix B to Part 364\xe2\x80\x94Interagency Guidelines Establishing\nInformation Security Standards,\xe2\x80\x9d FDIC Rules, Regulations, and Related Acts (February 28, 2013). Accessed\nAugust 20, 2013, at http://www.fdic.gov/regulations/laws/rules/2000-8660.html.\n\n\n\n                                 OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                      11\n\x0cThird, in 2012, FHFA IT examiners halted key ongoing monitoring activities for information\nsecurity and privacy at the enterprises despite concerns cited in targeted examination reports\n(January 2012 for Fannie Mae and February 2012 for Freddie Mac). These concerns, which\nincluded issues related to IT governance, business continuity planning and disaster recovery,\ninformation and network security, privacy, legacy IT infrastructure, and IT outsourcing, were\ncited in FHFA\xe2\x80\x99s 2012 supervision plan. 
In its plan, FHFA states, \xe2\x80\x9cWe will continue to focus\nour ongoing monitoring in these areas during 2012.\xe2\x80\x9d However, FHFA performed no related\nmonitoring through November 2012.\n\nFourth, for monitoring activities that occurred in 2010 and 2011, FHFA was unable to provide\nevidence that identified information security issues were resolved. Through ongoing\nmonitoring in 2010 and 2011, FHFA documented issues and known vulnerabilities, including\none related to malicious code vulnerabilities at one of the enterprises. However, FHFA did not\nchallenge the enterprise to remediate the malicious code vulnerabilities in a timely manner.\nThe code was later exploited by a hacker who brought down three of the enterprise\xe2\x80\x99s four\npublic-facing webservers. After the attack, the enterprise identified eight other applications\nwith PPI that contained the same vulnerabilities.\n\n   Resources Constraints Limited FHFA Oversight Activities\n\nDER officials said that insufficient resources and technical skills prevented them from\ndeveloping formal information security and privacy guidance for the enterprises and from\ncompleting the 2012 risk assessment and supervision plan. They also stated that there was no\nhiring plan designed to fill shortages in technical skills. FHFA has since developed a\nworkforce plan to address the staffing issues, but has not fully implemented the plan. FHFA\nhas engaged a contractor to help develop and complete supervisory examination policy,\nguidance, and standards.\n\nIn addition, the changes made to FHFA\xe2\x80\x99s oversight units, including transitioning activities\nfrom DER to DEPS and the additional management changes made beginning in 2011,\ncoincide with the drop-off in monitoring and follow-up activities. In 2010, FHFA examiners\nwere actively involved with the oversight of the information security and privacy programs at\nthe enterprises. 
They met with enterprise officials monthly, wrote memos, worked on\nremediating information security and privacy MRAs, and raised numerous concerns regarding\nthe status of enterprise information security and privacy programs. A similar level of\noversight continued for the first quarter of 2011, at which time the reorganization was\nconducted and key management and examiners responsible for overseeing the enterprise\ninformation security and privacy programs departed.\n\nIn the third quarter of 2011, FHFA conducted its targeted examinations of the programs with\nthe help of DEPS staff. An MRA was issued regarding Freddie Mac\xe2\x80\x99s privacy program and\n\n\n                             OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                12\n\x0cthe supervisory rating for the program was rated \xe2\x80\x9cSignificant Concerns.\xe2\x80\x9d8 According to FHFA\nmanagement, no ongoing monitoring work related to information security was conducted,\nother than remediation work associated with the MRA. Specifically, an FHFA official\nreported being directed by FHFA management to forgo ongoing monitoring activities in lieu\nof completing the schedule of targeted examinations for 2012. FHFA officials also attributed\nthe agency\xe2\x80\x99s lack of follow-up on issues identified during previous years\xe2\x80\x99 ongoing monitoring\nactivities to the fact that they did not consistently deploy automated tools to track and monitor\nthose issues.\n\n    Lack of Clear Requirements Puts Information Security at Risk\n\nBecause FHFA has not defined and issued clear regulatory requirements for information\nsecurity and privacy, the agency cannot fully determine the adequacy of the enterprises\xe2\x80\x99\ncompliance with the ISO standards. 
Moreover, without a properly completed and approved IT\nrisk assessment, FHFA may not focus its limited resources on the highest information security\npriorities nor be prepared for the upcoming examination period. In particular, high-risk areas\nmay be excluded from the examination scope. In addition, the IT supervisory plan may not be\ncomprehensive and may exclude critical security components. As such, the enterprises may be\nat greater risk of cyber attacks against their computers and networks, potentially endangering\nthe confidentiality, integrity, availability, and reliability of information systems and sensitive\ninformation and increasing the risk to their safety and soundness.\n\n\n\n\n8\n  \xe2\x80\x9cSignificant Concerns\xe2\x80\x9d is defined by FHFA as deficiencies that are complex, potentially high risk, and\nrequire significant remediation efforts.\n\n\n\n                                   OIG \xef\x82\xb7 AUD-2013-009 \xef\x82\xb7 August 30, 2013                                    13\n\x0c2. FHFA Did Not Justify Its Reliance on Internal Audit Work\n\nFHFA does not have an adequate process to support reliance on the work of the enterprises\xe2\x80\x99\ninternal audit divisions. 
FHFA IT Risk Management Program Guidance directs examination teams to “review internal audit reports for outstanding issues relating to information technology risk management program” and “determine if the internal audit staff is adequate in number and is technically competent to accomplish its mission.” However, these activities alone are insufficient for establishing formal reliance unless supplemented by verification procedures associated with specific audit work performed and compliance with professional standards on those audits, particularly if the audit results are the basis for examination conclusions and findings.[9]

FHFA’s IT Risk Management Program is based on Federal Financial Institutions Examination Council (FFIEC) examination standards, which provide guidance on the activities that examiners should take to justify placing reliance on the work of internal audit.[10] The FFIEC guidance includes a two-tiered system to help examiners determine the quality and effectiveness of an IT audit function. Specifically, the guidance includes objectives and procedures to determine:

   (1) If the institution has implemented an effective audit function that may be relied upon to identify and manage risks; and

   (2) If the audit work may be relied upon in determining the scope of the IT examination for those areas.

The guidance states that examiners should review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT; determine the competency and sufficiency of the IT audit staff; and review work papers for completeness and compliance with standards. The Federal Reserve Board of Governors has also issued examination guidance on the Federal Reserve supervisory assessment of the overall effectiveness of an institution’s internal audit function and considerations relating to the potential reliance by Federal Reserve examiners on an institution’s internal audit work.[11]

[9] External auditors auditing the financial statements of the enterprises also have procedures related to reliance on internal audit functions. See American Institute of CPAs, “The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements,” Statement on Auditing Standards 65. Accessed June 21, 2013, at http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00322.pdf. SAS 65 provides guidance on considering the work of internal auditors and on using internal auditors to provide direct assistance to the auditor in an audit performed in accordance with generally accepted auditing standards.

[10] FFIEC, IT Examination Handbook (April 2012). Accessed August 20, 2013, at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

[11] Board of Governors of the Federal Reserve System, “Section 5.B: Relying on the Work Performed by Internal Audit,” Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing (January 13, 2013). Accessed August 20, 2013, at http://www.federalreserve.gov/bankinforeg/srletters/sr1301a1.pdf.

The Federal Reserve guidance directs Federal Reserve examiners to review work papers when relying on internal audit work:

       Work papers document the work performed, observations and analyses made, and support for the conclusions and audit results. The work papers should contain sufficient information regarding any scope or audit program modifications and waiver of issues not included in the final report.

In addition, the Federal Reserve guidance states that:

       Examiners may choose to rely on the work of internal audit when internal audit’s overall function and related processes are effective and when recent work was performed by internal audit in an area where examiners are performing examination procedures.

Nonetheless, Freddie Mac’s DER examination team relied solely on the work of Freddie Mac’s Internal Audit division as the basis for its 2011 MRA on Freddie Mac’s privacy program. It did so without establishing or documenting a basis for reliance as called for in the FFIEC and Federal Reserve guidance. Moreover, FHFA was unable to provide evidence that independent verification work was conducted by the core examination team to support the issues captured within the privacy MRA. FHFA’s continued reliance on enterprise internal audit work—without establishing a basis for reliance including verification procedures (e.g., review of work papers) on specific audits—increases the risk that examination analyses and results could be based on incomplete, inaccurate, or unsubstantiated work and result in poor examination planning, execution, or reporting.

CONCLUSIONS

FHFA’s oversight of enterprise information security and privacy programs has not been sufficient to ensure the safety and soundness of the enterprises.
The absence of formal guidance, incomplete risk assessment, and lack of ongoing monitoring and follow-up have left FHFA inadequately informed about the state of information security and privacy controls. When the enterprise programs were undergoing major changes, FHFA was not actively engaged with enterprise management. Such a time is when guidance is needed the most. Further, identified risks were never followed up on, which potentially led to a vulnerability being exploited. FHFA must ensure that identified risks are documented, followed up on, and considered for future activities. In addition, a robust risk assessment and ongoing monitoring program related to information security and privacy must be established. Such a program should help establish complete coverage of risks identified by the enterprises and FHFA examiners, in addition to following existing FHFA policies.

RECOMMENDATIONS

To strengthen its enterprise information security and privacy programs, FHFA should:

   1. Define and issue enterprise information security and privacy program requirements.

   2. Implement the workforce plan and ensure the plan of action addresses the need to have an adequate number of IT examiners. Specifically, FHFA should provide an appropriate level of management oversight during the annual supervisory examination planning and execution processes to ensure completion of the annual plan and compliance with established IT examination policies and procedures.

   3. Ensure that planning for future IT examinations is based on fully executed risk assessments, as required by FHFA policy.

   4. Consistently deploy the automated tools needed for ongoing monitoring and tracking of previously identified security and privacy issues in order to enhance the efficiency and effectiveness of the examination process.

   5. Establish and document a process for placing formal reliance on the work of internal audit divisions at the enterprises.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this performance audit was to assess the effectiveness of FHFA’s oversight of enterprise information security and privacy programs.

We performed fieldwork for this audit from December 2012 through April 2013. We conducted this audit at FHFA’s office in Washington, D.C., Fannie Mae’s office in Washington, D.C., and Freddie Mac’s office in McLean, Virginia. We interviewed FHFA, Fannie Mae, and Freddie Mac personnel.

The scope of our audit included all examinations related to information security and privacy conducted at the enterprises from January 2010 to November 2012. We relied on computer-processed and hardcopy data from FHFA.

To achieve the audit objective, we interviewed FHFA and enterprise management and reviewed documentation provided by FHFA. We also assessed the internal controls related to our audit objective. Internal controls are an integral component of an organization’s management. They provide reasonable assurance that the following objectives are achieved:

   •   Effectiveness and efficiency of operations, and
   •   Compliance with applicable laws and regulations.

Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives, and include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.
Based on the work completed on this performance audit, we consider weaknesses in FHFA’s supervisory oversight of enterprise information security and privacy programs to be significant in the context of the audit’s objective.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that auditors plan audits and obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions based on the audit objective. We believe that the evidence obtained provides a reasonable basis for the findings and conclusions included herein, based on our audit objective.

APPENDIX A

FHFA’s Comments on OIG’s Findings and Recommendations

APPENDIX B

OIG’s Response to FHFA’s Comments

On August 6, 2013, FHFA provided comments on a draft of this report, agreeing with the recommendations and identifying FHFA actions to address them.

FHFA stated it concurs with the recommendations and has adopted a new approach to supervision subsequent to the audit period ending November 2012.
FHFA stated that supervisory teams have been establishing ongoing monitoring programs, conducting examinations, preparing business profiles, developing risk assessments for supervisory planning, and working to establish information systems to support the current supervisory program.

FHFA plans to implement the audit recommendations by finalizing examination guidance to its staff that sets forth expectations for the evaluation of programs to manage IT risk.[12] The final examination guidance will be shared with the enterprises. FHFA will establish and issue to the enterprises formal supervisory expectations for enterprise information security and privacy programs. FHFA has increased its IT examination staff, and stated that it has increased management oversight of IT risks during the annual supervisory examination planning and execution processes, and will identify supervisory risks that will be used to prepare the risk-based 2014 examination plan. FHFA stated that it is in the process of providing the technology to FHFA’s supervision divisions to produce a consistent and unified document management and business collaboration solution that will facilitate an automated capability to monitor and track enterprise supervisory issues. Until the technology is fully implemented, FHFA will communicate to its examination staff protocols for escalating and monitoring issues arising from supervisory activity. Finally, FHFA will issue guidance to its examination staff regarding when reliance on the work of enterprise internal audit is appropriate and how such reliance should be documented.[13]

We consider FHFA’s actions to be sufficient to resolve the recommendations, which will remain open until we determine that the agreed corrective actions are completed and responsive to the recommendations. We have attached the agency’s full response (see Appendix A), which was considered in finalizing this report. Appendix C provides a summary of management’s comments on the recommendations and the status of agreed corrective actions.

[12] FHFA recently released final examination modules addressing business continuity planning, enterprise-wide risk management, and information technology risk management. These modules are general targeted exam guidance and not specific to information security or privacy. An advisory bulletin targeted for April 15, 2014, will more specifically address information security and privacy.

[13] The term “reliance” in the context of financial institution supervision differs from that used in auditing. For purposes of our report, we use the term based on FFIEC guidance (see footnote 10). While external auditors performing financial statement audits often rely on assistance from internal audit functions, FHFA stated that examiners will not rely on enterprise internal audit work in a fashion similar to that used by the auditing profession and accept findings without performing critical independent analysis.

APPENDIX C

Summary of Management’s Comments on the Recommendations

This table presents management’s response to the recommendations in our report and the status of their resolution as of the date when the report was issued.

Rec. No. 1
   Corrective Action Taken or Planned: FHFA has finalized guidance, including the IT Risk Management module, and will formally issue supervisory expectations and an advisory bulletin for enterprise information security and privacy programs.
   Expected Completion Date: 4/15/2014
   Monetary Benefits: $0
   Resolved (a): Yes
   Open or Closed (b): Open

Rec. No. 2
   Corrective Action Taken or Planned: FHFA increased its IT examination staff in 2013 and clarified that it will hire an additional IT examiner by 9/30/2014. FHFA also agrees to consider and document changes to its oversight of IT risk as part of its annual examination planning process. This action will be completed by 12/31/2013.
   Expected Completion Date: 9/30/2014
   Monetary Benefits: $0
   Resolved (a): Yes
   Open or Closed (b): Open

Rec. No. 3
   Corrective Action Taken or Planned: FHFA agrees to issue examination guidance to formalize and clarify expectations related to IT examination planning and risk assessments.
   Expected Completion Date: 12/31/2013
   Monetary Benefits: $0
   Resolved (a): Yes
   Open or Closed (b): Open

Rec. No. 4
   Corrective Action Taken or Planned: FHFA agrees to implement technology to produce a consistent and unified document management and business collaboration solution to monitor and track enterprise supervisory issues. In the interim, DER will issue guidance to examination staff for escalating and monitoring issues arising from supervisory activity.
   Expected Completion Date: 12/31/2013
   Monetary Benefits: $0
   Resolved (a): Yes
   Open or Closed (b): Open

Rec. No. 5
   Corrective Action Taken or Planned: FHFA agrees to issue guidance on placing formal reliance on the work of internal audit divisions at the enterprises.
   Expected Completion Date: 12/31/2013
   Monetary Benefits: $0
   Resolved (a): Yes
   Open or Closed (b): Open

(a) Resolved means: (1) management agrees with the recommendation, and the planned, ongoing, or completed corrective action is consistent with the recommendation; (2) management does not agree with the recommendation, but alternative action meets the intent of the recommendation; or (3) management agrees to the monetary benefits, a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Once we determine that the agreed corrective actions have been completed and are responsive to the recommendations, the recommendations can be closed.

ADDITIONAL INFORMATION AND COPIES

For additional copies of this report:

   •   Call: 202–730–0880
   •   Fax: 202–318–0239
   •   Visit: www.fhfaoig.gov

To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or noncriminal misconduct relative to FHFA’s programs or operations:

   •   Call: 1–800–793–7724
   •   Fax: 202–318–0358
   •   Visit: www.fhfaoig.gov/ReportFraud
   •   Write:
                FHFA Office of Inspector General
                Attn: Office of Investigation – Hotline
                400 Seventh Street, S.W.
                Washington, DC 20024